Justifying a security information and event management (SIEM) platform is relatively simple: your CTO needs a way to ensure that the environment is properly de-risked, that security-relevant activity on every asset is visible, and that incidents are detected and acted on quickly. By ingesting, normalising, correlating and prioritising event logs from hardware, operating systems and applications, a SIEM is an important tool for assessing the security health of the infrastructure.
However, as technology evolves, traditional on-premise SIEM platforms are proving to be more of a hindrance than a help. Among the issues you might be facing are:
Managing the SIEM platform and trying to extract meaningful insights from log data is a full-time job – and still 44% of alerts are never investigated*
Traditional SIEM is not up to the job:
Among organisations that receive daily security alerts, an average of 44% of those alerts are not investigated*
Of those alerts investigated, 34% are deemed legitimate*
Of those deemed legitimate, 51% of alerts are remediated*
Nearly half (49%) of legitimate alerts are not remediated*
As infrastructure becomes more complex, the Security Operations Centre (SOC) team must deal with an even greater volume of incoming alerts and events. But given that they cannot keep pace now, how many more alerts will have to be ignored or side-lined in future?
Microsoft Sentinel has been specifically designed to address these challenges. Hosted in the cloud, Microsoft Sentinel provides a SIEM to monitor and act on event log data from across your entire IT estate, including on-premise data centres. Log ingestion is complemented by machine learning (ML) and artificial intelligence (AI) to improve detection accuracy, and by built-in security orchestration, automation and response (SOAR) capabilities to help automate your response.
The operational benefits of Microsoft Sentinel
Linked to your entire IT estate, Microsoft Sentinel can import and process millions of events every day. This has the net effect of accelerating operations, increasing efficiency and reducing overall demand on finite IT resources.
Rapid time to deployment
Like most hosted services, initial sign-up to Microsoft Sentinel can be completed in a matter of minutes. Connecting Microsoft cloud services is quick and simple, allowing you to begin analysing event logs the same day.
Maple's managed service can rapidly deploy agents to your on-premise Windows devices too. Depending on your environment and existing assets, our engineers can deploy the agent using Windows Admin Center, SCCM, SCVMM, PowerShell, Ansible, Puppet, Chef and more.
Using a dedicated log forwarder virtual machine, you can onboard your local Linux-based systems, firewalls and other network appliances: they send their logs over Syslog, in Common Event Format (CEF) where the device supports it, and the forwarder relays them for processing, analysis and reporting in Microsoft Sentinel. Sources that cannot emit Syslog can push logs through a REST API instead. Because every CEF message carries the vendor, product, event class, severity and a set of standard key=value fields, logs from different devices land in one normalised table (CommonSecurityLog) and can be queried together. Microsoft Sentinel accepts logs from infrastructure and applications to ensure all of your mission-critical assets are being properly monitored and assessed.
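As an added example (not part of the original page, and not Microsoft's or the log forwarder's own code), the following Python parses CEF-over-Syslog lines of the kind the forwarder relays into CommonSecurityLog-style fields, honouring the header escaping rules (backslash before pipe or backslash) and the extension escaping rules (backslash before equals, backslash, n or r), and then runs a simple failed-login detection over the parsed records. The sample lines, the fictitious vendor "Acme", the column-name mapping (which covers only a handful of common keys) and the detection threshold are constructed for illustration.

```python
"""Parse CEF-over-Syslog lines into Sentinel CommonSecurityLog-style fields.

Added example: the sample lines below are constructed, not real device output.
"""
import re
from collections import Counter

# Header positions, named as in Sentinel's CommonSecurityLog table.
HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Activity", "LogSeverity")

# Small subset of CEF extension keys -> CommonSecurityLog column names.
KEY_MAP = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "suser": "SourceUserName", "act": "DeviceAction",
    "msg": "Message", "proto": "Protocol", "rt": "ReceiptTime",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
}

# A key starts the extension or follows whitespace, and is immediately followed by '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(text, escapable):
    """Drop the backslash before any character in `escapable`; map \\n and \\r."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in escapable:
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(text):
    """Return the seven header fields and the remaining extension string.

    Only '\\|' and '\\\\' are escapes in the header; the extension may hold raw
    pipes, so splitting stops after the seventh unescaped pipe.
    """
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than seven fields")
    return fields, text[i:]


def parse_cef(line):
    """Parse one syslog line carrying a CEF message into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, extension = _split_header(line[start:])
    record = {"CefVersion": header[0][len("CEF:"):]}
    record.update(zip(HEADER_FIELDS, header[1:]))
    # Each extension value runs from after '=' up to the next ' key=' token.
    keys = list(_KEY_RE.finditer(extension))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        value = _unescape(extension[m.end():end].strip(), "=\\nr")
        record[KEY_MAP.get(m.group(1), m.group(1))] = value
    return record


def failed_logins_by_source(records, threshold):
    """Sources with at least `threshold` denied login events (toy detection)."""
    counts = Counter(
        r.get("SourceIP") for r in records
        if r.get("DeviceAction") == "deny" and "login" in r.get("Activity", "").lower())
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample input; 'Acme' is a fictitious vendor.
SAMPLE_LINES = [
    "<134>Jan 18 11:07:53 fw01 CEF:0|Acme|Firewall|2.1|100|Login failed|7|"
    "src=10.0.0.5 dst=10.0.1.10 spt=51432 dpt=22 suser=admin act=deny msg=Bad password",
    "<134>Jan 18 11:07:54 fw01 CEF:0|Acme|Firewall|2.1|100|Login failed|7|"
    "src=10.0.0.5 dst=10.0.1.10 spt=51433 dpt=22 suser=root act=deny msg=Bad password",
    "<134>Jan 18 11:07:55 fw01 CEF:0|Acme|Firewall|2.1|100|Login failed|7|"
    "src=10.0.0.5 dst=10.0.1.10 spt=51434 dpt=22 suser=admin act=deny msg=Bad password",
    "<134>Jan 18 11:08:01 fw01 CEF:0|Acme|Firewall|2.1|200|Login ok|3|"
    "src=10.0.0.9 dst=10.0.1.10 dpt=22 suser=alice act=allow",
    # Escaped pipe in the product name and escaped '=' in the message.
    "<134>Jan 18 11:08:02 px01 CEF:0|Acme|Web\\|Proxy|2.1|300|Blocked URL|5|"
    "src=10.0.0.7 dst=93.184.216.34 act=deny msg=Category\\=malware cs1Label=Policy cs1=Default",
]

if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_LINES]
    for r in parsed:
        print(r["DeviceProduct"], r["Activity"], r.get("SourceIP"), r.get("Message"))
    print("suspicious sources:", failed_logins_by_source(parsed, threshold=3))
```

The same split-then-unescape logic is what makes the normalised table usable: a product name such as "Web|Proxy" or a message containing "=" must survive parsing intact, otherwise fields shift and detections keyed on SourceIP or DeviceAction silently miss events.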
Unlike traditional on-premise SIEM systems that require a lot of configuration – and perhaps custom development – Microsoft Sentinel ships with a library of data connectors and analytics rules and is ready for use almost immediately. As a result, the cloud SIEM deployment can be completed in substantially less time with fewer resources. This means that you can begin generating actionable insights from your event logs faster than ever before.
When asked 'Assuming you could change your SIEM solution tomorrow, which outcomes would you most like to realise?', 21% of on-premise SIEM users chose a shorter deployment time.
*SIEM Shift: How the cloud is transforming security operations
Reduced downtime
The cloud now plays an important role in reducing downtime for mission-critical applications. Built-in load-balancing and automated fail-over make Azure a secure, robust platform for operations.
By moving SIEM capabilities into a cloud-based platform, you realise the same uptime benefits. Logs continue to be collected and analysed, ensuring that no alerts are missed and that disruption is minimised.
From an operational standpoint, reducing downtime strengthens your security posture and your ability to address issues quickly. Remember that improved SIEM availability also helps to reduce downtime across the rest of your IT estate.
Automated device enrolment
Once configured, Microsoft Sentinel can automatically onboard resources hosted in various cloud platforms – including Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP) – through its data connectors, so that new subscriptions, accounts and workloads start sending logs without manual intervention.
Automating the enrolment processes solves two problems. First, it accelerates the initial deployment of your cloud-based SIEM, so that you can begin ingesting more event logs more quickly. Second, auto-enrolment ensures that none of your assets is overlooked, providing complete coverage and visibility of your infrastructure.
Achieving total visibility is crucial to helping the Microsoft Sentinel machine learning engine define a standard baseline of operations – because this will inform all future alert categorisation and event automation.
Single pane of glass administration
By centralising log files from across your entire estate, Microsoft Sentinel makes it possible to analyse and report on alerts throughout the entire infrastructure. This is important because it reduces the number of consoles your SOC team needs to access and reduces the risk of critical alerts being missed.
Microsoft Sentinel dashboards provide at-a-glance access to key metrics from on-premise assets and cloud services. Your team can easily monitor system health, fault resolution progress, threat-hunting activities and more from a single console. Importantly, they can also run queries in real-time across event log data without affecting the performance of the monitored systems, because the queries run against the central log store rather than the sources.
As the single point of reference for all event logging activities, Microsoft Sentinel reduces time that would be wasted switching between consoles or extracting and comparing data from different SIEM platforms.
Application event monitoring
SIEM platforms are typically limited to analysing event logs from infrastructure assets – servers, routers, firewalls etc. To address the increasingly service-driven operating environment, Microsoft Sentinel also accepts log input from applications.
This gives the SOC team deeper insights into the overall health of the environment and the attack surface. It also means that the same Microsoft Sentinel playbooks can be used to mitigate events and issues at the application level too. By bringing application event management into the core SIEM system, you are adopting a holistic approach to security that covers the entire technology stack.
Importantly, Microsoft Sentinel’s machine learning algorithms help to classify and triage alerts automatically. This filtering cuts through the background noise, surfacing only those alerts that require additional investigation by the SOC team. Simplifying the discovery process helps to reduce ‘alert fatigue’, identified as a major issue for IT staff.
Microsoft Sentinel extends your SIEM capabilities and reduces the burden on your team.
Cloud SIEM reduces many of the effects of alert fatigue reported by IT managers who previously used on-premise solutions:
SOAR extensibility
SIEM platforms are useful for collating and centralising event logs, but their full value is realised by integrating SOAR capabilities. This is where your platform management becomes much smarter. The SOAR capabilities of Microsoft Sentinel not only surface important alerts but can also be configured to automate initial steps to mitigate threats and breaches.
Using ‘playbooks’, i.e. a series of pre-configured automated steps that define what actions are taken when a threat is detected, Microsoft Sentinel can do several things. At the most basic level, a new case (with all relevant event log data and analytics attached) can be raised in the IT service management (ITSM) platform and the security team alerted. Another playbook may automatically disable a user account in Active Directory when suspicious activity is detected. Automated containment of this kind needs guardrails: exclude break-glass and service accounts, require a minimum severity, and cap the number of accounts disabled in a short window, otherwise an attacker who can trigger the detection against administrator accounts can lock your own team out.
Automating the initial stages of incident response not only accelerates your response to threats but also frees up the security team to focus on developing and deploying long term fixes for in-depth technical challenges. They also have more time available for threat-hunting activities, proactively seeking out potential weaknesses and areas for improvement before they can be exploited.
With an ongoing shortage of skilled, experienced security specialists, automation is crucial to plugging the gap.
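The guardrails a practitioner would put in front of the 'disable account' step, as an added example that is not Microsoft's code and not a Logic App (Sentinel playbooks are Azure Logic Apps; this is a Python sketch of the decision logic only). The incident fields, the account names breakglass-admin and svc-backup, the severity threshold and the five-per-fifteen-minutes cap are assumptions chosen for illustration.

```python
"""Guardrails for an automated 'disable account' response.

Added example. Not Sentinel's API: a sketch of the decision logic to place in
front of the disable step of a playbook. Incident fields, account names and
thresholds are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
MIN_AUTO_SEVERITY = "High"            # below this: raise a ticket, a human decides
PROTECTED_ACCOUNTS = {"breakglass-admin", "svc-backup"}   # assumed names; never auto-disabled
MAX_DISABLES_PER_WINDOW = 5           # more than this in WINDOW looks like an induced lockout
WINDOW = timedelta(minutes=15)
DEMO_T0 = datetime(2024, 1, 18, 11, 0)  # fixed clock for the demo below


class ResponseGuard:
    """Decides, per incident, whether the playbook may disable the account."""

    def __init__(self):
        self._disabled = []   # (timestamp, account) of automatic disables

    def _recent(self, now):
        return [(t, a) for t, a in self._disabled if now - t <= WINDOW]

    def decide(self, incident, now):
        """Return (action, reason); action is 'disable', 'ticket_only' or 'escalate'."""
        account = incident["account"].lower()
        rank = SEVERITY_RANK.get(incident["severity"], 0)
        if rank < SEVERITY_RANK[MIN_AUTO_SEVERITY]:
            return "ticket_only", "severity below auto-response threshold"
        # Break-glass, service and machine accounts ($ suffix) go to a human.
        if account in PROTECTED_ACCOUNTS or account.endswith("$"):
            return "escalate", "protected or machine account"
        recent = self._recent(now)
        # Idempotent: a second alert for the same account does not re-run the action.
        if any(a == account for _, a in recent):
            return "ticket_only", "account already disabled in this window"
        # Throttle: a burst of disables may be an attacker driving the detection.
        if len(recent) >= MAX_DISABLES_PER_WINDOW:
            return "escalate", "mass-disable throttle tripped"
        self._disabled.append((now, account))
        return "disable", "within guardrails"


def run_playbook(incident, guard, now):
    """Build the ITSM case the playbook would raise, with the chosen action."""
    action, reason = guard.decide(incident, now)
    return {
        "ticket": {
            "title": f"{incident['severity']}: {incident['title']}",
            "account": incident["account"],
            "evidence": incident["events"],   # raw alerts attached for the analyst
        },
        "action": action,
        "reason": reason,
        "notify": "soc-oncall" if action == "escalate" else "soc-queue",
    }


def make_incident(account, severity, title="Password spray success", events=()):
    """Constructed incident in the shape assumed above."""
    return {"title": title, "severity": severity, "account": account, "events": list(events)}


if __name__ == "__main__":
    guard = ResponseGuard()
    demo = [
        make_incident("alice", "Medium", "Impossible travel", ["a1"]),
        make_incident("bob", "High", events=["a2", "a3"]),
        make_incident("breakglass-admin", "High", events=["a4"]),
    ]
    for inc in demo:
        print(run_playbook(inc, guard, DEMO_T0))
```

The order of the checks matters: the idempotency check runs before the throttle so that repeated alerts for one account do not consume the window budget, and the throttle counts only automatic disables, so analyst-driven disables are unaffected.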
The commercial benefits of Microsoft Sentinel
The operational benefits of Microsoft Sentinel that we’ve discussed above will usually result in greater efficiency and better allocation of budgets and resources. Greater visibility of events, and the ability to detect and block issues sooner, helps to reduce the costs associated with data breaches and losses.
However, there are also some additional commercial benefits to be aware of:
Pay-as-you-go (PAYG) pricing model
Traditional on-premise SIEM systems involve ongoing capital spend. Over time, the sheer volume of logs being generated every day will consume all available capacity. You end up regularly investing in more storage and processing power to cope.
Moving SIEM functions to the cloud allows you to take advantage of the flexible, PAYG charging model. You will no longer run out of space, or face complaints from the security team who are unable to analyse data in real-time because of a lack of processing power. Note that the bill now scales with the volume of data ingested and retained, so noisy, low-value sources should be filtered at the collector and retention periods set per data type to keep costs predictable.
No upfront storage investments
Instead of specifying and purchasing hardware up-front, you are billed for the resources you use plus, if you opt for a managed service, a service fee from your provider to cover ongoing administration of the Microsoft Sentinel service. Remember that demand can scale downwards too, helping to reduce spend.
PAYG billing saves not only the purchase price of new storage arrays, but also the cost of rack space, power and cooling. These savings add up over the course of the year, releasing funds for reinvestment in other strategic IT projects.
Service and privacy insights
SIEM logs are typically considered in terms of security and system health – but they can also be used to add granularity to other analytical functions. Microsoft Sentinel is capable of ingesting any log where remote logging is available, from any asset or application you choose to monitor.
For instance, increased remote working has seen businesses rapidly adopting new technologies, like video conferencing, to enable collaboration. The urgency of the situation means that many of these applications have not undergone the usual rigorous testing prior to deployment.
By ingesting logs from the video conferencing app, Microsoft Sentinel can apply the same monitoring functions as it does for your infrastructure. Microsoft Sentinel quickly establishes a baseline of normality and alerts you to any potentially unwanted activity. Your team can see how an app is being used and where potential security vulnerabilities exist. Furnished with real usage data, you can make informed decisions about capacity planning – or whether a specific application presents a significant security/privacy risk.
Plugging gaps in expertise
Skilled, experienced security specialists are in high demand, commanding a premium salary and benefits package. Even the hiring process can be expensive – but you cannot properly protect your assets without competent security engineers.
Moving SIEM to the cloud and integrating with SOAR offsets some of these staffing requirements. Microsoft engineers ensure that the underlying Microsoft Sentinel platform remains available, while with a managed SIEM service, partner engineers assist with deploying and optimising Microsoft Sentinel agents and playbooks. This frees up your own staff to get on with the business of identifying and fixing issues without having to dedicate resources to “keeping the lights on”.
Microsoft Sentinel also helps to reduce ‘alert fatigue’, where the security team are overwhelmed by the constant flood of incoming events that need to be assessed and actioned. Alert fatigue also accelerates workforce attrition, leaving you with the headache and cost of hiring replacements.
Ultimately, a Microsoft Sentinel-based SIEM service, like the one from Maple Networks, ensures you get maximum value from your investment in people.
"The global security workforce needs to grow by 145% to meet the demand for skilled cybersecurity talent."
Strategies for Building and Growing Strong Cybersecurity Teams – (ISC)2
Reduced risks
Data loss or theft can have massive financial ramifications for your business. A severe security breach exposing protected personally identifiable information could result in a General Data Protection Regulation (GDPR) fine of up to €20m or 4% of the company’s global annual turnover, whichever is higher.
Microsoft Sentinel automates event log analysis, shortening the time to detection. This, in turn, allows your security team to contain security incidents and minimise the overall impact. The faster your team can resolve issues, the lower the overall cost.
Building for the future
Microsoft Sentinel takes traditional SIEM technologies to the next level and leverages the power of the cloud to monitor your entire IT estate.
By combining machine learning, artificial intelligence and automation, Microsoft Sentinel empowers your security team to be more efficient and effective. Operations can only improve as insights driven by the platform are used to reduce security risks and optimise systems and processes.
The obvious result of these efficiency gains is a greater return on investment. Plus, the savings created can be funnelled back into strategic projects that will help grow the business.
To learn more about exactly what Microsoft Sentinel can do for your business, please get in touch.